Updated Pricing Plans

Since our current pricing was established over 7 years ago, there have been many changes in both the Hosted CTFd feature set and global economic forces. Our underlying costs have increased and we are updating our pricing to better reflect those new costs as well as better support our users.…

CTFd 3.7.5

CTFd 3.7.5 has been released with a security fix for an issue where a user could change their own bracket after registration. Depending on how brackets are used, this could affect external systems/processes that relied on the integrity of bracket assignments. CTFd 3.7.5 also converts…

CTFd 3.7.4

CTFd 3.7.4 has been released with a security fix for a vulnerability where an attacker could perform a Denial of Service against a CTFd instance. CTFd v2.2.0 to v3.7.3 are affected. We recommend all CTFd users update their instance to v3.7.4. If…

CTFd 3.7.3

CTFd 3.7.3 has been released with a security fix for a vulnerability where an attacker could determine the names of accounts that had solved a challenge even though CTFd was configured to hide account information. v3.7.3 has already been deployed to Hosted CTFd customers. Self-hosted users…

CTFd 3.7.2

CTFd 3.7.2 has been released with a security fix for a vulnerability where an attacker could extract flags from CTFd provided that an admin interacted with a malicious page. To mitigate the above vulnerability, CTFd will no longer return 404s in paginated listing pages and API endpoints. For…

CTFd 3.7.0

CTFd 3.7.0 has been released with the introduction of scoring brackets and the social sharing system. We have also completely removed webpack from CTFd in favor of Vite.…

CTFd v3.6.0

CTFd v3.6.0 has been released with some highly requested features! This release has been long in the making with foundations being laid since the previous minor release. Significant changes have been made across many layers of CTFd to fulfill the headline feature, which is Translations and Internationalization (i18n)…

Introducing Tourist

Tourist is an HTTP API around Microsoft Playwright that lets us offload the work of browser interaction to a dedicated service. Instead of bundling the browser with every challenge, we can just make HTTP queries to a dedicated service from the challenge.…